Analysis Overview
SHA256
63634e6216314ba19543cd53527712010c3a1b9538b52081478072f2ef1fbbe8
Threat Level: Known bad
The file 78f92ab7f036ac56b81b11c26bde3f04 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-27 01:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-27 01:52
Reported
2024-01-27 01:55
Platform
win7-20231215-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe
"C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ewafxq25.top | udp |
Files
memory/2164-1-0x00000000005B0000-0x00000000006B0000-memory.dmp
memory/2164-2-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2164-3-0x0000000000310000-0x00000000003B0000-memory.dmp
memory/2164-4-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\_Files\_Screen_Desktop.jpeg
memory/2164-221-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2164-223-0x00000000005B0000-0x00000000006B0000-memory.dmp
memory/2164-226-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IaBQQ0Vqmck\V4MK2neojgqr.zip
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-27 01:52
Reported
2024-01-27 01:55
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe
"C:\Users\Admin\AppData\Local\Temp\78f92ab7f036ac56b81b11c26bde3f04.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ewafxq25.top | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | morzup02.top | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/2348-1-0x0000000000500000-0x0000000000600000-memory.dmp
memory/2348-2-0x00000000020F0000-0x0000000002190000-memory.dmp
memory/2348-3-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2348-4-0x0000000000400000-0x00000000004C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\files_\system_info.txt
memory/2348-208-0x0000000000400000-0x00000000004C1000-memory.dmp
memory/2348-210-0x0000000000500000-0x0000000000600000-memory.dmp
memory/2348-211-0x00000000020F0000-0x0000000002190000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\KiGmKA8NfANjW.zip
C:\Users\Admin\AppData\Local\Temp\dwzBprMPM\n8t4bwg5BM.zip